What is the meaning of setting dsa-flags = shadow

Document ID : KB000056468
Last Modified Date : 14/02/2018

When an update is sent directly to a data DSA marked as "shadow", the DSA will refuse to process the update, and will generate the following error:

-> #0 LDAP ADD-ENTRY-REFUSE 
   invoke-id = 12 credit = 1 
   Service Error: Directory unwilling to perform 

A dsa-flag of "shadow" indicates to a CA Directory backbone that the DSA can only process updates received from other multi-write DSAs. A "shadow" DSA cannot execute update operations sent directly to it from either CA Directory routers or LDAP clients; any such operations will be refused.